12.15 Determining whether a Function is Safe to Call

Some major modes, such as SES, call functions that are stored in user
files. (see Top, for more information on SES.) User
files sometimes have poor pedigrees—you can get a spreadsheet from
someone you've just met, or you can get one through email from someone
you've never met. So it is risky to call a function whose source code
is stored in a user file until you have determined that it is safe.

— Function: unsafep form &optional unsafep-vars

Returns nil if form is a safe Lisp expression, or
returns a list that describes why it might be unsafe. The argument
unsafep-vars is a list of symbols known to have temporary
bindings at this point; it is mainly used for internal recursive
calls. The current buffer is an implicit argument, which provides a
list of buffer-local bindings.

Being quick and simple, unsafep does a very light analysis and
rejects many Lisp expressions that are actually safe. There are no
known cases where unsafep returns nil for an unsafe
expression. However, a “safe” Lisp expression can return a string
with a display property, containing an associated Lisp
expression to be executed after the string is inserted into a buffer.
This associated expression can be a virus. In order to be safe, you
must delete properties from all strings calculated by user code before
inserting them into buffers.